IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This obsoletes the domain name in the xid2sid calls
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464
(cherry picked from commit ad626b9e6b3c200c70b0d840c956f7b6fff20660)
So far we have initialized idmap domains on demand indexed by name.
For sid2xid this works okay, because we could do lookupsids before
and thus get the name. For xid2sid this is more problematic. We
have to rely on enumtrustdoms to work completely, and we have to
look at the list of winbind domains in the parent to get the domain
name. Relying on domain->have_idmap_config is not particularly nice.
This patch re-works initialization of idmap domains by scanning all
parametric parameters, scanning for :backend configuration settings.
This way we get a complete list of :range definitions. This means
we can rely on the idmap domain array to be complete. This in turn
means we can live without the domain name to find a domain, we can
do a range search by uid or gid.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464
(cherry picked from commit ef0c91195533d95ba4fb7947ff5f69c20aa677b8)
Just moving code, idmap_init will need to reference the variables
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464
(cherry picked from commit d36de86639b7782e1e959d61917d8f19fdfc902c)
This routine takes a regex and goes through all parametric parameters
in [global], matching the regex. It can easily be extended to also
look at shares, but right now it will only be used to list all idmap
config domain names.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464
(cherry picked from commit 443dd9bbbc641ede10a2a3708465f61ea3dfbde3)
This should be an implementation detail in lib/crypto/aes.h.
In future we may add support for other implementations.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 64c6cc34d7cdc48443a9427d2448ede9727aad47)
This fixes a problem where is_myname() returns true if one of our names
is a substring of the specified name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11427
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 4e178ed498c594ffcd5592d0b792d47b064b9586)
We call make_server_info(NULL) and it is possible that we do not free
it, because server_info is not allocated on the memory context we pass
to the function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 6363c0232c2238e1a782e9c22ef762e3ff9b7563)
We set nt_username above but do not use it in this function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit e8c76932e4ac192a00afa3b9731f5921c4b37da6)
In case of timeouts we retry the async_connect_send() and forgot
to remember it, this results in an abort() in async_connect_cleanup()
as the fd is already closed when calling fcntl(F_SETFL).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11316
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit ce3c77fb45ccf4d45a0fa655325e30e748d89245)
Autobuild-User(v4-3-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-3-test): Tue Aug 18 01:35:44 CEST 2015 on sn-devel-104
Callgrind showed that we use 28,165,720,719 cpu cycles to send
a 100MB file to a client using aes-ccm.
With aes-gcm this is raises up to 723,094,413,831 cpu cycles.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11451
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bd0ec51cfca2b3baed60d304125079c74815073a)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11426
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Aug 4 16:48:36 CEST 2015 on sn-devel-104
(cherry picked from commit 95eb6db580678a29b1f5f30a9567ea449a43d75a)
With vfs_fruit option "fruit:encoding = native" we're already converting
stream names that contain illegal NTFS characters from their on-the-wire
Unicode Private Range encoding to their native ASCII representation.
Unfortunately the reverse mapping for stream names was not perfomed.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11278
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1db11998bf1b0eef5f543377700b03ab8739338d)
With vfs_fruit option "fruit:encoding = native" we're already converting
stream names that contain illegal NTFS characters from their on-the-wire
Unicode Private Range encoding to their native ASCII representation.
As as result the name of xattrs storing the streams (via
vfs_streams_xattr) may contain a colon, so we have to use strrchr_m()
instead of strchr_m() for matching the stream type suffix.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11278
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit fb9a64ea37dd4b0cd754fe6d421417a4c8ccbc57)
Somewhere along the line, a config line like "valid users = @foo"
broke when "foo" also exists as a user.
user_ok_token() already does the right thing by adding the LOOKUP_NAME_GROUP
flag; but lookup_name() was not respecting that flag, and went ahead and looked
for users anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11320
Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Marc Muehlfeld <mmuehlfeld@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 28 21:35:58 CEST 2015 on sn-devel-104
(cherry picked from commit dc99d451bf23668d73878847219682fced547622)
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit cef8897f45f1b231d26342688542560bbe695276)
On i386, unsigned long long is 64 bit while the pointer is 32, and
this fails under autobuild with -WError.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 21 05:14:20 CEST 2015 on sn-devel-104
The new default is to disable SSLv3, as this is no longer considered
secure after CVE-2014-3566. Newer GnuTLS versions already disable SSLv3.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
This adds a new option to the smb.conf to allow administrators to disable
TLS protocols in GnuTLS without changing the code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul 17 22:09:34 CEST 2015 on sn-devel-104
If we have a broken system which reports incorrect sizes we provide the
'dfree command'. This command makes sure Samba gets the correct values.
However after that we call the quota command which then reports the
broken values. The dfree command should take care to provide the correct
values and in case of quota's it should also calculate the quote
correctly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11403
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We should not leave this uninitialized.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jul 17 19:06:08 CEST 2015 on sn-devel-104
The input value of count is ignored by the server,
but we should not send an uninitialized value.
Found by valgrind.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11404
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul 17 14:04:01 CEST 2015 on sn-devel-104
config.h may have some flags which affect glibc behavior, e.g.
_FILE_OFFSET_BITS=64. To make sure these flags have the desired
effect, config.h must be included before any glibc header files.
This commit does not fix a specific known bug. It changes the code to
comply with coding conventions.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: "Stefan Metzmacher" <metze@samba.org>
config.h may have some flags which affect glibc behavior, e.g.
_FILE_OFFSET_BITS=64. To make sure these flags have the desired
effect, config.h must be included before any glibc header files.
This commit does not fix a specific known bug. It changes the code to
comply with coding conventions.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: "Stefan Metzmacher" <metze@samba.org>
This patch sets dns_lookup_realm=false in samba-generated krb5.conf.
Disabling dns_lookup_realm in krb5.conf is the recommended practice for
Kerberos usage in Active Directory environment. dns_lookup_realm is enabled
by default, at least in Heimdal.
When used by samba, Kerberos libraries operate based on either the system
krb5.conf, or a private krb5.conf generated specifically for the domain by
samba code. In the former case, it's the responsibility of the administrator
to set dns_lookup_realm=false. In the latter case, it's the responsibility
of samba - which is what this patch does.
In many usage scenarios the value of this variable is of no consequence
since samba knows the realm in which it is operating, and knows how to
generate service principal names. However, there are some scenarios
in which samba calls kerberos_get_principal_from_service_hostname(),
and here samba consults the Kerberos libraries and this parameter comes
into play. One primary example is cli_full_connection() function.
Not setting dns_lookup_realm leads to a series of DNS TXT record lookups.
This can be observed by running "net ads join -k -U <user>".
In AD environments, the TXT queries typically fail quickly, but test setups
or misconfigured DNS may lead to large timeouts (for example, if the domain
is dept.example.com but there's no parent example.com domain and no DNS
zones for example.com). At the very least we want to avoid those lookups
because they are hardly documented and lead to confusion.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Logging at level 0 may result in log flooding. Additionally log the
share name that failed in SMB_VFS_CONNECT.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Jul 16 20:24:47 CEST 2015 on sn-devel-104
Counting on the client list being sorted by last access time,
the list scan for removing timed-out clients is shortened - once
the list is scanned oldest to newest, and once a non-timed-out
client is found, the scan can stop.
Also, finding the oldest idle client for removing an idle client
is simplified - oldest idle client is last idle client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11397
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 16 01:45:20 CEST 2015 on sn-devel-104
Keep client list sorted by last access time, newest
to oldest.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11397
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Add some routines that support keeping the client list sorted
(by last access time) and traversing the list from oldest to
newest
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11397
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Periodically scan winbind client list and close connections
in which either the client is idle, or the request is taking
too long to complete.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11397
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
A recent change was to remove a client if the client socket
has become readable. In this change, a check is added to
determine the source of the readbility (actual readability,
closed connection, or some other error), and a suitable
debug message is printed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11397
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Add an option to wait_for_read_send(), so that the request, upon
calling back, report whether the socket actually contains data
or is in EOF/error state. EOF is signalled via the EPIPE error.
This is useful for clients which do not expect data to arrive but
wait for readability to detect a closed socket (i.e. they do not
intend to actually read the socket when it's readable). Actual data
arrival would indicate a bug in this case, so the check can
be used to print an error message.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11397
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
This patch allows for early cleanup of client connections if the client
has given up.
Before this patch, any received request would be processed, and then only
upon transmitting the result to the client would winbindd find out the
client is no longer with us, possibly leading to a situation where the
same client tries over and over and increases the number of client
connections.
This patch monitors the client socket for readability while the request
is being processed, and closes the client connection if the socket
becomes readable. The client is not supposed to be writing anything to
the socket while it is waiting, so readability means either that the client
has closed the connection, or that it has broken the protocol.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11397
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Set the winbindd process file descriptor limit according to
the values that affect it in the configuration:
- Maximum number of clients
- Number of outgoing connections per domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11397
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
We check for dir == NULL but dereference it during variable declaration.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jul 14 16:10:44 CEST 2015 on sn-devel-104
